


# Counting referrers, IP addresses, or matched rules
<a name="query-examples-waf-logs-count"></a>

The examples in this section query for counts of log items of interest.
+ [Count the number of referrers that contain a specified term](#waf-example-count-referrers-with-specified-term)
+ [Count all matched IP addresses in the last 10 days that have matched excluded rules](#waf-example-count-matched-ip-addresses)
+ [Group all counted managed rules by the number of times matched](#waf-example-group-managed-rules-by-times-matched)
+ [Group all counted custom rules by number of times matched](#waf-example-group-custom-rules-by-times-matched)

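**Example – Count the number of referrers that contain a specified term**  
The following query counts the number of referrers that contain the term "amazon" within the specified date range.  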

```
WITH test_dataset AS 
  (SELECT header FROM waf_logs
    CROSS JOIN UNNEST(httprequest.headers) AS t(header) WHERE "date" >= '2021/03/01'
    AND "date" < '2021/03/31')
SELECT COUNT(*) referer_count 
FROM test_dataset 
WHERE LOWER(header.name)='referer' AND header.value LIKE '%amazon%'
```

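**Example – Count all matched IP addresses in the last 10 days that have matched excluded rules**  
The following query counts the number of times in the last 10 days that an IP address matched an excluded rule in a rule group.  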

```
WITH test_dataset AS 
  (SELECT * FROM waf_logs 
    CROSS JOIN UNNEST(rulegrouplist) AS t(allrulegroups))
SELECT 
  COUNT(*) AS count, 
  "httprequest"."clientip", 
  "allrulegroups"."excludedrules",
  "allrulegroups"."ruleGroupId"
FROM test_dataset 
WHERE allrulegroups.excludedrules IS NOT NULL AND from_unixtime(timestamp/1000) > now() - interval '10' day
GROUP BY "httprequest"."clientip", "allrulegroups"."ruleGroupId", "allrulegroups"."excludedrules"
ORDER BY count DESC
```

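**Example – Group all counted managed rules by the number of times matched**  
If you set rule group rule actions to Count in your web ACL configuration before October 27, 2022, AWS WAF saved your overrides in the web ACL JSON as `excludedRules`. Now, the JSON setting for overriding a rule to Count is in the `ruleActionOverrides` settings. For more information, see [Action overrides in rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-group-override-options.html) in the *AWS WAF Developer Guide*. To extract managed rules in Count mode from the new log structure, query the `nonTerminatingMatchingRules` in the `ruleGroupList` section instead of the `excludedRules` field, as in the following example.  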

```
SELECT
 count(*) AS count,
 httpsourceid,
 httprequest.clientip,
 t.rulegroupid, 
 t.nonTerminatingMatchingRules
FROM "waf_logs" 
CROSS JOIN UNNEST(rulegrouplist) AS t(t) 
WHERE action <> 'BLOCK' AND cardinality(t.nonTerminatingMatchingRules) > 0 
GROUP BY t.nonTerminatingMatchingRules, action, httpsourceid, httprequest.clientip, t.rulegroupid 
ORDER BY "count" DESC 
Limit 50
```

**Example – Group all counted custom rules by number of times matched**  
The following query groups all counted custom rules by the number of times matched.  

```
SELECT
  count(*) AS count,
         httpsourceid,
         httprequest.clientip,
         t.ruleid,
         t.action
FROM "waf_logs" 
CROSS JOIN UNNEST(nonterminatingmatchingrules) AS t(t) 
WHERE action <> 'BLOCK' AND cardinality(nonTerminatingMatchingRules) > 0 
GROUP BY t.ruleid, t.action, httpsourceid, httprequest.clientip 
ORDER BY "count" DESC
Limit 50
```

For information about the log locations for custom rules and managed rule groups, see [Monitoring and tuning](https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing-activities.html) in the *AWS WAF Developer Guide*.
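To cross-check the Athena results for counted managed and custom rules against a raw log sample, the following added example (not part of the AWS documentation) tallies non-terminating matches per rule and client IP from AWS WAF JSON log lines, reading the top-level `nonTerminatingMatchingRules` list, the per-group list in `ruleGroupList`, and the legacy `excludedRules` list. The function name, the `source` labels and the sample records are constructed for illustration.

```python
import json
from collections import Counter

GROUP = "AWS#AWSManagedRulesCommonRuleSet"  # constructed sample rule group id

def _record(action, ip, custom=(), managed=(), excluded=None):
    """Build one constructed WAF log line, trimmed to the fields used below."""
    return json.dumps({
        "action": action,
        "httpRequest": {"clientIp": ip},
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in custom],
        "ruleGroupList": [{
            "ruleGroupId": GROUP,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in managed],
            "excludedRules": excluded,
        }],
    })

# Constructed sample input; client IPs are documentation addresses.
SAMPLE_LOG_LINES = [
    _record("ALLOW", "192.0.2.10", custom=["custom-geo-count"], managed=["NoUserAgent_HEADER"]),
    _record("ALLOW", "192.0.2.10", managed=["NoUserAgent_HEADER"]),
    # Legacy shape: the override is logged under excludedRules.
    _record("ALLOW", "192.0.2.20",
            excluded=[{"exclusionType": "EXCLUDED_AS_COUNT", "ruleId": "SizeRestrictions_BODY"}]),
    _record("BLOCK", "192.0.2.30", custom=["custom-geo-count"]),
]

def count_nonterminating_matches(lines):
    """Return a Counter keyed by (source, rule group id or None, rule id, client IP)."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("action") == "BLOCK":  # same filter as the queries above
            continue
        ip = rec.get("httpRequest", {}).get("clientIp")
        # Custom rules: top-level list. Like the queries, no filter on the per-rule action.
        for rule in rec.get("nonTerminatingMatchingRules") or []:
            counts[("custom", None, rule["ruleId"], ip)] += 1
        for group in rec.get("ruleGroupList") or []:
            gid = group.get("ruleGroupId")
            for rule in group.get("nonTerminatingMatchingRules") or []:
                counts[("managed", gid, rule["ruleId"], ip)] += 1
            for rule in group.get("excludedRules") or []:  # null in the new log structure
                counts[("managed-legacy", gid, rule["ruleId"], ip)] += 1
    return counts

if __name__ == "__main__":
    for key, n in count_nonterminating_matches(SAMPLE_LOG_LINES).most_common():
        print(n, *key)
```

Unlike the managed-rule query above, which groups on the whole `nonTerminatingMatchingRules` array, this tally is per individual rule.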